If you're like most companies that hire security consultants, you're reading this blog for advice you'll never use. You'll tell me that security is a priority, but your inaction will say otherwise. You'll be like the guy who joins the gym in January and quits by March, or the woman who consults with her nutritionist in the morning, then has pizza for lunch. Or like the recent college grad I've been mentoring, who tells me she has done "everything" to get a better job. Everything?

I asked if she had updated her resume to be specific for each job to which she is applying. No. I asked if she had gone door to door through local businesses dropping off resumes. No. I asked if she had sent out any resumes at all. No. I asked if she had called her university asking for help with job placement. No. I asked if she had been reading the local newspaper ads and applying for those jobs. No. I asked if she had talked to the two local business leaders I had referred her to, who said they could get her better jobs. Again, no.

When I asked what she had done to improve her job prospects, she said she had applied on Monster.com eight months ago. That resulted in malicious phishers targeting her with bogus "at home" jobs.

Obviously, my definition of her trying everything was not aligning with her definition. As far as I could tell, she wanted someone to hit her on the head with a job.

Catch security in a bottle

I have many clients who seem to think security also strikes like lightning. They complain about how they are getting hacked and owned, but they aren't even doing the simple stuff -- the steps security experts have been advocating forever. They keep trying more and more advanced mechanisms to protect themselves, such as NIDS (network intrusion detection systems), HIDS (host-based intrusion detection systems), and multifactor authentication, only to find that they're owned again and again.

For example, not a single customer I've audited in more than two decades has patched the applications that are the most likely to be attacked. I always start the security audit by asking the customer if they patch their software, both the operating system and applications, in a timely manner. Most say yes. Then I check the first workstation or server and find it's unpatched. Most of the time the operating system has been patched, but they haven't patched Adobe Flash Player, Adobe Acrobat, or Java in months or even years. It's no coincidence that the most commonly exploited applications are these same three chronically unpatched apps. When I tell the admin about the missing patches, he'll typically say that application patches are someone else's responsibility, or he seems uninterested.
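If you want to run that same check yourself before a consultant does it for you, here is a small script, added to this post as an illustration and not part of the original column, that compares a software inventory export against a minimum-approved-version baseline and lists every host whose third-party apps fall below it. The inventory lines and the baseline versions are constructed placeholders, not real current vendor releases; in practice you would export the inventory from whatever asset tool you use and set the baseline from the vendor's current release notes. The one detail worth learning from it is the version comparison: comparing version strings lexically ("1.8.0_45" versus "1.8.0_231") gets the answer backwards, which is exactly how a "yes, we patch" report ends up hiding a years-old Java install.

```python
"""Flag hosts whose third-party apps are below an approved patch baseline.

Added example, not code from the original column. INVENTORY and BASELINE are
constructed for illustration; the version numbers are placeholders.
"""
import re
from typing import Dict, List, Tuple

# Constructed inventory export: hostname, application, installed version.
INVENTORY = """\
ws-001,Windows 10,10.0.19045
ws-001,Adobe Flash Player,11.2.202.235
ws-001,Adobe Acrobat,9.5.5
ws-001,Java,1.8.0_45
ws-002,Windows 10,10.0.19045
ws-002,Adobe Flash Player,32.0.0.465
ws-002,Adobe Acrobat,11.0.23
ws-002,Java,1.8.0_231
srv-001,Windows Server 2016,10.0.14393
srv-001,Java,1.7.0_80
"""

# Hypothetical baseline: the lowest version your patch policy still allows.
# These are placeholder values, not actual vendor release numbers.
BASELINE: Dict[str, str] = {
    "Adobe Flash Player": "32.0.0.465",
    "Adobe Acrobat": "11.0.23",
    "Java": "1.8.0_231",
}


def version_key(version: str) -> Tuple[int, ...]:
    """Turn '1.8.0_231' or '11.2.202.235' into a tuple of ints.

    Comparing the raw strings is a classic audit bug: '1.8.0_45' sorts
    after '1.8.0_231' as text, but is the older release.
    """
    return tuple(int(part) for part in re.findall(r"\d+", version))


def parse_inventory(text: str) -> List[Tuple[str, str, str]]:
    """Parse 'host,app,version' lines; blank lines and '#' comments are skipped."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, app, version = (field.strip() for field in line.split(",", 2))
        rows.append((host, app, version))
    return rows


def find_stale(rows, baseline) -> List[Tuple[str, str, str, str]]:
    """Return (host, app, installed, required) for every app below baseline.

    Apps absent from the baseline (the OS rows here) are ignored; this check
    is about the third-party applications that nobody seems to own.
    """
    stale = []
    for host, app, installed in rows:
        required = baseline.get(app)
        if required is None:
            continue
        if version_key(installed) < version_key(required):
            stale.append((host, app, installed, required))
    return stale


def hosts_with_stale_apps(rows, baseline) -> List[str]:
    """Sorted list of hosts that have at least one app below baseline."""
    return sorted({host for host, *_ in find_stale(rows, baseline)})


if __name__ == "__main__":
    inventory = parse_inventory(INVENTORY)
    for host, app, installed, required in find_stale(inventory, BASELINE):
        print(f"{host}: {app} {installed} is below baseline {required}")
```

On the constructed data, ws-002 passes and ws-001 and srv-001 are flagged; note that the host whose operating system is current is still carrying a Java build two major updates behind, which is the pattern described above.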